It's the FBIs, NSAs, and Equifaxes of the world versus a swelling movement of Cypherpunks, civil libertarians, and millionaire hackers. At stake: Whether privacy will exist in the 21st century.

By Steven Levy

The office atmosphere of Cygnus Support, a fast-growing Silicon Valley
company that earns its
dollars by providing support to users of free software, seems like a
time warp to the days when hackers ran free. Though Cygnus is located
in a mall-like business park within earshot of US 101, it features a
spacious cathedral ceiling overhanging a cluttered warren of
workstation cubicles arranged in an irregular spherical configuration.
A mattress is nestled in the rafters. In a hallway behind the
reception desk is a kitchen laden with snack food and soft drinks.

Today, a Saturday, only a few show up for work. The action instead is in
a small conference room overlooking the back of the complex -- a
"physical meeting" of a group whose members most often gather in the
corridors of cyberspace. Their mutual interest is the arcane field of
cryptography -- the study of secret codes and cyphers. The very fact
that this group exists, however, is indication that the field is about
to shift into overdrive. This is crypto with an attitude, best embodied
by the group's moniker: Cypherpunks.

The one o'clock meeting doesn't really get underway until almost three.
By that time around fifteen techie-cum-civil libertarians are sitting
around a table, wandering around the room, or just lying on the floor
staring at the ceiling while listening to the conversations. Most have
beards and long hair -- Smith Brothers gone digital.

The talk today ranges from reports on a recent cryptography conference
to an explanation of how entropy degrades information systems. There is
an ad hoc demonstration of a new product, an AT&T "secure" phone,
supposedly the first conversation-scrambler that's as simple to use as a
standard-issue phone. The group watches in amusement as two of their
number, including one of the country's best cryptographic minds, have
trouble making the thing work. (This is sort of like watching Eric
Clapton struggle with a new, easy-to-play guitar.) There is discussion
of random number generators. Technical stuff, but everything has an
underlying, if not explicitly articulated, political theme: the vital
importance of getting this stuff out to the world for the public weal.

The people in this room hope for a world where an individual's
informational footprints -- everything from an opinion on abortion to
the medical record of an actual abortion -- can be traced only if the
individual involved chooses to reveal them; a world where coherent
messages shoot around the globe by network and microwave, but intruders
and feds trying to pluck them out of the vapor find only gibberish; a
world where the tools of prying are transformed into the instruments of
privacy.

There is only one way this vision will materialize, and that is by
widespread use of cryptography. Is this technologically possible?
Definitely. The obstacles are political -- some of the most powerful
forces in government are devoted to the control of these tools. In
short, there is a war going on between those who would liberate crypto
and those who would suppress it. The seemingly innocuous bunch strewn
around this conference room represents the vanguard of the pro-crypto
forces. Though the battleground seems remote, the stakes are not: The
outcome of this struggle may determine the amount of freedom our society
will grant us in the 21st century. To the Cypherpunks, freedom is an
issue worth some risk.

"Arise," urges one of their numbers, "You have nothing to lose but your
barbed-wire fences."

Crashing the Crypto Monopoly

As the Cold War drifts into deep memory, one might think that the
American body charged with keeping our secret codes and breaking the
codes of our enemies -- the National Security Agency (NSA) -- might
finally breathe easy for the first time in its 30-year existence.
Instead, it is sweating out its worst nightmare.

The NSA's cryptographic monopoly has evaporated. Two decades ago, no one
outside the government, or at least outside the government's control,
performed any serious work in cryptography. That ended abruptly in 1975
when a 31-year-old computer wizard named Whitfield Diffie came up with a
new system, called "public-key" cryptography, that hit the world of
cyphers with the force of an unshielded nuke. The shock wave was
undoubtedly felt most vividly in the fortress-like NSA headquarters at
Fort Meade, Maryland.

As a child, Diffie devoured all the books he could find on the subject
of cryptography. Certainly there is something about codes -- secret
rings, intrigue, Hardy Boys mysteries -- that appeals to youngsters.
Diffie, son of an historian, took them very seriously. Though his
interest went dormant after he exhausted all the offerings of the local
city college library, it resurfaced in the mid-1960s, when he became
part of the computer hacker community at the Massachusetts Institute of
Technology.

Even as a young man, Diffie's passion for technical, math-oriented
problems was matched by a keen interest in the privacy of individuals.
So it was natural that as one of the tenders of a complicated multi-user
computer system at MIT, he became troubled with the problem of how to
make the system, which held a person's work and sometimes his or her
intimate secrets, truly secure. The traditional, top-down approach to
the problem -- protecting the files by user passwords, which in turn
were stored in the electronic equivalent of vaults tended by trusted
system administrators -- was not satisfying. The weakness of the system
was clear: The user's privacy depended on the degree to which the
administrators were willing to protect it. "You may have protected
files, but if a subpoena was served to the system manager, it wouldn't
do you any good," Diffie notes with withering accuracy. "The
administrators would sell you out, because they'd have no interest in
going to jail."

Diffie recognized that the solution rested in a decentralized system in
which each person held the literal key to his or her own privacy. He
tried to get people interested in taking on the mathematical challenge
of discovering such a system, but there were no takers. It was not until
the 1970s, when the people running the ARPAnet (destined to become the
Internet) were exploring security options for their members, that Diffie
decided to take it on himself. By then he was at Stanford, under the
thrall of David Kahn's 1967 work, The Codebreakers. It
was a revelatory, well-written, and meticulously documented history of
cryptography, focusing on 20th century American military activities,
including those at the NSA.

"It brought people out of the woodwork and I certainly was one of them,"
recalls Diffie. "I probably read it more carefully than anyone had ever
read it. By the end of 1973, I was thinking about nothing else." He
embarked on what was planned to be a worldwide journey in search of
information on the subject. Gaining access to it was a difficult task,
since almost everything about modern cryptography was classified,
available only to NSA-types and academics. Diffie's sojourn took him as
far as the East Coast, where he met the woman he would eventually marry.
With his future bride, he moved back to Stanford. It was then that he
created a revolution in cryptography.

Specifically, the problem with the existing system of cryptography was
that secure information traveled over insecure channels. In other words,
a message could be intercepted before reaching its recipient. The
traditional methods for securing information involved encoding an
original message -- known as a "plaintext," by use of a "key." The key
would change all the letters of the message so anyone who tried to read
it would see only an impenetrable "cyphertext." When the cyphertext
message arrived at its destination, the recipient would use the same key
to decipher the code, rendering it once again to plaintext. The
difficulty with this scheme was getting the key from one party to
another -- if you sent it over an insecure channel, what's to stop
someone from intercepting it and using it to decode all subsequent
messages?

The problem got even thornier when one tried to imagine encryption
employed on a massive scale. The only way to do it, really, was to have
registries, or digital repositories, where keys would be stored. As far
as Diffie was concerned, that system was screwed -- you wound up having
to trust the people in charge of the registry. It negated the very
essence of cryptography: to maintain total privacy over your own
communications.

Diffie also foresaw the day when people would be not only communicating
electronically, but conducting business that way as well. They would
need the digital equivalent of contracts and notarized statements. But
how could this "digital signature," etched not in paper but in easily
duplicated blocks of ones and zeros, possibly work?

In May 1975, collaborating with Stanford computer scientist Martin
Hellman, Diffie cracked both problems. His scheme was called public-key
cryptography. It was a brilliant breakthrough: Every user in the system
has two keys -- a public key and a private key. The public key can be
widely distributed without compromising security; the private key,
however, is held more closely than an ATM password -- you don't let
nobody get at it. For relatively arcane mathematical reasons, a message
encoded with either key can be decoded with the other. For instance, if
I want to send you a secure letter, I encrypt it with your public key
(which I have with your blessing), and send you the cyphertext. You
decipher it using your private key. Likewise, if you send a message to
me, you can encrypt it with my public key, and I'll switch it back to
plaintext with my private key.

This principle can also be used for authentication. Only one person can
encrypt text with my private key -- me. If you can decode a message with
my public key, you know beyond a doubt that it's straight from my
machine to yours. The message, in essence, bears my digital signature.

Public-key cryptography, in the words of David Kahn, was not only "the
most revolutionary new concept in the field since. . .the Renaissance,"
but it was generated totally outside of the government's domain -- by a
privacy fanatic, no less! By the time Diffie and Hellman started
distributing pre-prints of their scheme in late 1975, an independent
movement in cryptography, centered in academia, was growing. These new
cryptographers had read Kahn's book, but more important, they realized
that the accelerating use of computers was going to mean a growth surge
in the field. This expanding community soon had regular conferences and
eventually published its own scientific journal.

By 1977, three members of this new community created a set of algorithms
that implemented the Diffie-Hellman scheme. Called RSA for its founders
-- MIT scientists Rivest, Shamir, and Adleman -- it offered encryption
that was likely to be stronger than the Data Encryption Standard (DES),
a government-approved alternative that does not use public keys. The
actual strength of key-based cryptographic systems rests largely in the
size of the key -- in other words, how many bits of information make up
the key. The larger the key, the harder it is to break the code. While
DES, which was devised at IBM's research lab, limits key size to 56
bits, RSA keys could be any
size. (The trade-off was that bigger keys are unwieldy, and RSA runs
much more slowly than DES.) But DES had an added burden: Rumors abounded
that the NSA had forced IBM to intentionally weaken the system so that
the government could break DES-encoded messages. RSA did not have that
stigma. (The NSA has denied these rumors.)

All that aside, the essential fact about RSA is that it was a working
public-key system, and thus did not suffer from the dire flaw of all
previous systems: the need to safely exchange private keys. It was
flexible enough to be used to address the massive requirements of the
crypto future. The algorithms were eventually patented and licensed to
RSA Data Security, whose corporate mission was to create privacy and
authentication tools.
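
The two-key property described above, that whatever one key of a pair encodes only the other decodes, can be seen in a few lines of textbook RSA. This is an added illustration, not code from the article, from PGP, or from RSA Data Security; the function names, the sample message, the publicly known demo primes and the absence of padding are assumptions chosen for readability, so the key pair protects nothing.

```python
"""Textbook RSA: whatever one key of a pair encodes, only the other decodes."""
import hashlib

# Constructed demo primes (the Mersenne primes 2**127-1 and 2**521-1).
# They are public knowledge, so this key pair protects nothing; real keys
# are built from large random primes that are kept secret.
P = 2**127 - 1
Q = 2**521 - 1


def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; ValueError if e shares a factor with phi
    return (e, n), (d, n)


def apply_key(key, number):
    """The single RSA operation: raise to the key's exponent modulo n."""
    exponent, n = key
    if not 0 <= number < n:
        raise ValueError("value does not fit under the modulus")
    return pow(number, exponent, n)


def encrypt(public_key, plaintext: bytes) -> int:
    """Confidentiality: anyone may encode with the recipient's public key."""
    return apply_key(public_key, int.from_bytes(plaintext, "big"))


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of the matching private key recovers the plaintext."""
    m = apply_key(private_key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (256 bits, below the modulus)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Authentication: encode the message digest with the private key."""
    return apply_key(private_key, digest(message))


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone can decode the signature with the public key and compare."""
    try:
        return apply_key(public_key, signature) == digest(message)
    except ValueError:  # signature too large for this modulus
        return False


def demo():
    """Run both uses of the key pair on a constructed sample message."""
    message = b"Meet at Cygnus on Saturday"  # constructed sample input
    public, private = make_keypair(P, Q)
    # A second, unrelated key pair stands in for an eavesdropper's key.
    _, wrong_private = make_keypair(2**89 - 1, 2**607 - 1)

    ciphertext = encrypt(public, message)
    signature = sign(private, message)
    return {
        "modulus_bits": public[1].bit_length(),
        "recipient_reads": decrypt(private, ciphertext),
        "wrong_key_reads_it": decrypt(wrong_private, ciphertext) == message,
        "signature_ok": verify(public, message, signature),
        "tampered_ok": verify(public, message + b"!", signature),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Deployed systems wrap this bare operation in padding and use it mainly to protect a session key or a message digest, not the message itself.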

As holder of the public-key patents, RSA Data Security is ideally placed
to sell its privacy and authentication wares to businesses. Customers
who plan to integrate RSA software in their systems include Apple,
Microsoft, WordPerfect, Novell, and AT&T. RSA's president, Jim Bidzos, a
non-cryptographer, is a compelling spokesperson for the need for
privacy. He has cast himself as an adversary of the NSA, fighting legal
restrictions on the export of his product. He even has been known to
broadly hint that the NSA has used back-channels to retard the flow of
his products.

Yet a number of privacy activists regard Bidzos and his company with
caution. Some, like Jim Warren, the PC pioneer who chaired the first
Computers, Freedom, and Privacy conference in 1991, are unhappy that a
single company holds the domestic rights to such a broad concept as
public-key cryptography. Others are even more concerned that RSA, a
respectable business, will be unable to successfully resist any
government pressure to limit the strength of the cryptography it sells.

In the Cypherpunk mind, cryptography is too important to leave to
governments or even well-meaning companies. In order to insure that the
tools of privacy are available to all, individual acts of heroism are
required. Which brings us to Phil Zimmermann.

The Pretty Good Revolution

Phil Zimmermann is no stranger to political action. His participation in
anti-nuke sit-ins has twice led to jailings. He has been a military
policy analyst to political candidates. But his vocation is computers,
and he has always been fascinated with cryptography. When he first heard
about public-key crypto he was handling two jobs, one as a programmer
and another unpaid post "saving the world." He was about to find a way
to combine the two. Why not implement a public-key system on personal
computers, using RSA algorithms?

Zimmermann posed this question around 1977, but didn't begin serious
work to answer it until 1984. The more he thought about the issues,
though, the more important the project became. As he later wrote in the
product documentation:

You may be planning a political campaign, discussing your taxes, or
having an illicit affair. Or you may be doing something that you feel
shouldn't be illegal, but is. Whatever it is, you don't want your
private electronic mail or confidential documents read by anyone else.
There's nothing wrong with asserting your privacy. Privacy is as
apple-pie as the Constitution.

What if everyone believed that law-abiding citizens should use postcards
for their mail? If some brave soul tried to assert his privacy by using
an envelope for his mail, it would draw suspicion. Perhaps the
authorities would open his mail to see what he's hiding. Fortunately, we
don't live in that kind of world, because everyone protects most of
their mail with envelopes. So no one draws suspicion by asserting their
privacy with an envelope. There's safety in numbers. Analogously, it
would be nice if everyone routinely used encryption for all their
e-mail, innocent or not, so that no one drew suspicion by asserting their
e-mail privacy with encryption. Think of it as a form of solidarity.

If privacy is outlawed, only outlaws will have privacy. Intelligence
agencies have access to good cryptographic technology. So do the big
arms and drug traffickers. . . But ordinary people and grass-roots
political organizations mostly have not had access to affordable
military grade public-key cryptographic technology. Until now.

Not being a professional cryptographer, Zimmermann moved slowly. By
1986, he had implemented RSA, and a year later wrote a scrambling
function he called Bass-O-Matic, in homage to a Saturday Night Live
commercial for a blender that liquifies fish. Piece by piece he built
his program. In June, 1991, it was ready for release. He named his
software PGP, for Pretty Good Privacy. Though at one time he mused about
asking users for a fee, he subsequently became concerned that the
government would one day outlaw the use of cryptography. Since
Zimmermann wanted the tools for privacy disseminated widely before that
day came, he decided to give PGP away. No strings.

This required some personal sacrifice. Zimmermann missed five mortgage
payments producing PGP. "I came within an inch of losing my house," he
says.

But the effort was worth it. PGP was unprecedented. It was, Zimmermann
claims, faster than anything else available. And despite troublesome
details like patent law and export code, it was very available.

Zimmermann put his first version, which ran only on PCs, on computer
bulletin-board systems and gave it to a friend who posted it on the
Internet. "Like thousands of dandelion seeds blowing in the wind," he
wrote, PGP spread throughout cyberspace. Within hours, people were
downloading it all over the country and beyond. "It was overseas the day
after the release," he said. "I've gotten mail from just about every
country on Earth."

PGP won no popularity contests at RSA Data Security. Jim Bidzos was
incensed that Zimmermann, whom he considers not an altruistic activist
but an opportunist who still hopes to make a buck off stealing
intellectual property, had blithely included RSA's patented algorithms
in PGP. Zimmermann's defense was that he wasn't selling PGP, but
distributing it as a sort of research project. (Some people think that
PGP, by spreading the gospel of public key cryptography, is the best
thing that ever happened to RSA.)

In any case, the legal situation is still hazy, with Zimmermann now
refraining from distributing the software (though he updates the user's
guide and provides guidance and encouragement to those who have chosen
to revise the software).

What does the NSA think about Phil Zimmermann's Johnny Appleseed-like
attempt to bring the world crypto tools? Zimmermann has heard no formal
complaint, even though many believe that PGP's strength in protecting
data is such that it would never be approved for export to foreign
shores. Zimmermann, of course, did not submit PGP to such scrutiny
because he required no export license for international sales -- after
all, he was not selling it. In any case, Zimmermann himself never
shipped the software overseas, warning users that it was their business
if they chose to.

To be extra careful, Zimmermann arranged for the more powerful version
2.0, released last September, to be distributed from New Zealand "into"
the United States, so there would be no question about exporting
forbidden tools. (Due to some regulatory oddities, RSA is patented
"only" in the United States, and thus PGP is a potential patent
infringer only within US borders.)

An uncounted number of US users, probably thousands, have PGP in its
various incarnations -- on DOS, Macintosh, Amiga, Atari ST, or VAX/VMS
computers.

At first the silence from the NSA actually worried Zimmermann. He
wondered if it meant that PGP had some sort of weakness, a "trap door"
that the government had identified. But after a session with a
world-class cryptographer, Zimmermann was assured that while PGP had many
inefficiencies, it offered protection at least as strong as the
government-standard DES. It truly was "pretty good" protection. So
people could evaluate it on their own, Zimmermann allowed free
distribution of the source code -- something one does not enjoy with
alternative encryption products. And most of the inefficiencies are
addressed in version 2.0.

(It was only as this article was being prepared, in February 1993, that
Zimmermann was questioned about PGP by two US Customs officials who flew
from California to ask about how the program might have found its way
out of the country. As of press time, it seems that this investigation
might be still active.

Jim Bidzos of RSA, obviously not a disinterested source, claims that not
only Zimmermann, but anyone using PGP, is at risk. He scoffs at
Zimmermann's efforts to stay within the letter of the law, charging that
the use of PGP is "an illegal activity that violates patent and export
law." Bidzos has written to institutions like Stanford and MIT,
informing them that any copies of PGP on their computers would put them
on the wrong side of the law, and he says that the universities have
subsequently banned PGP.)

Still, PGP has changed the world of crypto. It is not a solution to the
problem by any means -- using it adds a degree of difficulty to e-mail
and file transfers -- but it has developed a cult among those motivated
to use it. It's sort of a badge of honor to include one's PGP public key
with e-mail messages.

And until the long-awaited alternative for electronic crypto on the
Internet, Privacy Enhanced Mail (PEM), is released -- after five years
of planning, the release seems near -- PGP is one of the only games in
town. (Other alternatives include an RSA-approved product called RIPEM.)
Even then, many users may stick to PGP. "PEM is technically cleaner but
is bogged down in bureaucracy -- for instance, before you use PEM you
must first register a key with something called a policy certification
authority," says crypto-activist and Cypherpunk John Gilmore. "PGP is
portable, requires no bureaucracy, and has more than a year's
head-start."

Ultimately, the value of PGP is in its power to unleash the
possibilities of cryptography. Tom Jennings, founder of the FIDOnet
matrix of computer bulletin boards, finds the software useful, but
becomes positively rapturous as he contemplates its psychic influence.
To Jennings, a gay activist, cryptography has the potential to be a
powerful force in protecting the privacy of targeted individuals.

"People who never have had cops stomping through their house don't care
about this," Jennings said. He believes that public awareness of these
issues will be raised only by making the tools available. "If you can't
demonstrate stuff, it's hard to explain." On the other hand, said
Jennings, "If we flood the world with these tools, that's going to make
a big difference."

The Empire Strikes Back

The flood to which Jennings refers is now only a trickle. But you don't
have to be a cryptographer to know which way the code will flow. The
flood indeed is coming, and the agency charged with safeguarding and
mastering encryption technologies is about to be thrust into a cypher
age in which messages that once were clear will require tedious cracking
-- and may not be crackable at all. While it is impossible to read the
government's mind concerning the prospects of this scenario (see The NSA
Remains Cryptic, page 57), its actions are telling. The strategy is one
of resistance. The feds are stepping up the war between crypto activists
and crypto suppressors.

The conflict actually began in the late 1970s. As wars go, this one was
more cloak than dagger, with no disappearances in the night -- unlikely
to inspire a movie starring Steven Seagal, or even Robert Redford. As
Diffie explains, "the whole thing has been conducted in a gentlemanly
fashion." Yet the stakes are high: in one view, our privacy; in the
other view, our national security. The government was not above
implicitly threatening independent cryptographers with jail.

According to The Puzzle Palace, James Bamford's classic NSA expose, the
first salvo in the conflict was a letter written in July 1977 by an NSA
employee named Joseph A. Meyer. It warned those planning to attend an
upcoming symposium on cryptography that participation might be unlawful
under an Arms Regulation law, which controls weapons found on the US
Munitions List (cryptographic tools, it turns out, are classified right
alongside tanks and bomber planes). Though the ensuing controversy in
this case blew over, it became clear that NSA regarded what came from
the minds of folks like Whit Diffie to be contraband. In an
unprecedented interview, the then-new NSA Director Bobby Inman floated
the idea that his agency might have the same control over crypto as the
Department of Energy has over nukes. In 1979, Inman gave an address that
came to be known as "the sky is falling" speech, warning that
"non-governmental cryptologic activity and publication. . .poses clear risks
to the national security."

Through the 1980s, both sides became entrenched in their views -- but it
was by far the alternative crypto movement that gathered strength. Not
only was the community growing to the point where government crypto
specialists came to terms with the phenomenon, but computers -- the
devices destined to be crypto engines -- became commonplace. Just as it
was obvious that all communication and data storage was going digital,
it was a total no-brainer that effective cryptography was essential to
the maintenance of even a semblance of the privacy and security people
and corporations enjoyed in the pre-digital era.

And if things are tough for individuals, corporations are in worse shape
-- even their (weakly) encrypted secret plans are being swiped by
competitors. Recently, the head of the French intelligence service quite
cheerfully admitted intercepting confidential IBM documents and handing
them over to French-government-backed competitors. (In cases like these,
weak encryption -- which gives a false sense of security -- is worse
than no encryption at all.)

In the face of this apparent inevitability -- crypto for the masses! --
what's a secret government agency to do? Throw in the towel, let the
market determine the strength of the people's algorithms, and grumpily
adjust to the new realities? No way. The government has chosen this
moment to dig in and take its last stand. The future of crypto, and our
ability to protect our information to the fullest extent, hangs in the
balance.

The specter of what one Cypherpunk calls "Crypto Anarchy" -- where
strong, easy-to-use encryption is accessible to all -- terrifies those
accustomed to the old reality. Perhaps the best expression of these
fears comes from Donn Parker, a think-tank computer security specialist
who is in synch with the government mindset. "We have the capability of
100-percent privacy," he says. "But if we use this I don't think society
can survive."

A somewhat less apocalyptic yet equally stern conclusion comes from
Georgetown University Professor Dorothy Denning, a respected figure in
academic crypto circles: "If we fail to enact legislation that will
ensure a continued capability for court-ordered electronic
surveillance," Denning writes, ". . .systems fielded without an adequate
provision for court-ordered intercepts would become sanctuaries for
criminality wherein Organized Crime leaders, drug dealers, terrorists,
and other criminals could conspire and act with impunity. Eventually, we
could find ourselves with an increase in major crimes against society, a
greatly diminished capacity to fight them, and no timely solution."

Denning has spoken favorably of a plan that sends chills up Cypherpunk
spines: It allows people access to public-key cryptography only if
they agree to "escrow" their private keys in a repository controlled by
a third party who would, under a judge's order or other dire
circumstance, give it to some government or police body.

Key registries, of course, would require crypto users to trust
self-interested third parties, the very paradox that led Diffie to develop
public-key cryptography. Diffie did not intend private keys to be shared
-- not with colleagues, not with spouses, and certainly not with some
swiftie in a suit who would flip it over to the cops at the first flash
of a warrant. As Electronic Frontier Foundation co-founder John Perry
Barlow put it, "You can have my encryption algorithm. . . when you pry
my cold dead fingers from my private key."

But Dorothy Denning has a point. Unfettered cryptography does have its
trade-offs. The same codes that protect journalists and accountants will
abet the security of mobsters, child molesters, and terrorists. And if
everyone encrypts, there certainly would be a weakening of our
intelligence agencies, and possibly our national security.

As far as the NSA is concerned, its very mission is to establish and
maintain superiority in making and breaking codes. If strong
cryptography enters common usage, this task will be greatly complicated,
if not rendered nearly impossible.

The government itself has taken action on three fronts:

The first is a continuation of the secrecy with which it guards all
information concerning cryptography. Traditionally, the NSA argument for
this has been unimpeachable: Anything, even a seemingly innocuous fact
about what we are doing, or even what we know, gives a potential
adversary an advantage that it would not otherwise enjoy. Thus for
years, even the very existence of the NSA (nicknamed No Such Agency by
some) was denied. However, as cryptography becomes more essential for
the protection of both individuals and corporations, the
"anything-we-disclose-helps-our-enemies" argument is under attack. One of the most
diligent prodders of the National Security Agency in this regard is John
Gilmore (see His Crime: Checking Out a Book, page 58).

The second front is the ingenious use of export controls to limit
the strength of cryptography within this country. Despite the desires of
the NSA, US law currently protects the way people communicate within the
boundaries of the country. Practically speaking however, only the most
motivated communicators take the trouble to employ the cumbersome
measures necessary to encrypt their own data. Routine encryption can be
made easy -- so painless that it happens automatically. But for that to
happen, the mass producers of software would have to include it as a
default standard in their products.

This is where the export catch kicks in -- companies like Microsoft, Apple,
and WordPerfect find it unprofitable to produce two versions of their
wares, one for domestic use and one for sales abroad. The path of least
resistance is to adhere to the weak-encryption export standards
ostensibly designed to deny strong encryption to our enemies. As a
result, domestic users have less security than they would have
otherwise.

The third front is a legislative initiative known as Digital
Telephony, in which the FBI has taken center stage as the lead actor in
limiting not only crypto, but any system that would pose a problem for
government agents implementing legal wiretaps. The deal proposed to the
public is tempting -- if we don't limit our high-tech communications so
that government agents can easily plug in (and by association this means
limiting crypto), drug smugglers, terrorists, and white-collar criminals
will run rampant. ACLU lawyer Janlori Goldman contends, however, that by
effectively "dumbing down" our entire communications structure, the law
will put a halt to our economy's most competitive industries.

While defending Digital Telephony on ABC's Nightline, FBI chief William
Sessions claimed that the law would merely allow law enforcement to keep
pace with technology. But as Whit Diffie notes, "The most important
impact of technology on communications security is that it draws better
and better traffic into vulnerable channels."

In other words, Digital Telephony, if passed, would grant
law-enforcement access not only to phone conversations, but a whole range of
personal information previously stored in hard copy but ripe for
plucking in the digital age. And if law enforcement can get at it, so
can others -- either government agents over-stepping their legal
authority, or crooks.

In one sense this debate is moot, because the crypto genie is out of the
bottle. The government may limit exports, but strong encryption software
packages literally are being sold on the streets of Moscow. The NSA may
keep its papers classified, but a whole generation of independent
cryptographers is breaking ground and publishing freely. And then there
are the crypto-guerrillas, who have already penetrated deep into the
territory of their adversaries.

The Promise of Crypto Anonymity

The first physical Cypherpunk meeting occurred early last autumn at the
instigation of two software engineers who had developed an interest in
crypto. One was Tim May, a former Intel physicist who "retired" several
years ago, at age 34, with stock options sufficient to assure that he
would never flip a burger for Wendy's. May, who reluctantly permits
journalists to pigeon-hole him as a libertarian, is the in-house
theoretician, and author of the widely circulated "Crypto Anarchist
Manifesto." The other founder, Eric Hughes, has become the moderator of
the physical meetings, maintaining an agenda that mixes technical issues
of Cypherpunk works-in-progress with reports from the political front.

It would be wrong to think of Cypherpunks as a formal group. It's more a
gathering of those who share a predilection for codes, a passion for
privacy, and the gumption to do something about it. Anyone who decides
to spread personal crypto or its gospel is a traveler in the territory
of Cypherpunk.

The real action in that realm occurs via The List, an electronic posting
ground which commonly generates more than 50 messages a day. People on
The List receive the messages on their Internet mailboxes and can
respond. The List is sort of a perpetual conversation pit from which
gossip is exchanged, schemes are hatched, fantasies are outlined, and
code is swapped. The modus operandi of Cypherpunks is a familiar one to
hackers -- If You Build It, They Will Come.

As Eric Hughes posted on The List:

Cypherpunks write code. They know that someone has to write code to
defend privacy, and since it's their privacy they're going to write
it...

Cypherpunks don't care if you don't like the software they write.
Cypherpunks know that software can't be destroyed. Cypherpunks
know that a widely dispersed system can't be shut down. Cypherpunks
will make the networks safe for privacy.

As the Cypherpunks see it, the magic of public-key crypto can be
extended far beyond the exchange of messages with secrecy. Ultimately,
its value will be to provide anonymity, the right most threatened by a
fully digitized society. Our transactions and conversations are now more
easily traced by the digital trails we leave behind. By following the
electronic links we make, one can piece together a depressingly detailed
profile of who we are: Our health records, phone bills, credit
histories, arrest records, and electronic mail all connect our actions
and expressions to our physical selves. Crypto presents the possibility
of severing these links. It is possible to use cryptography to actually
limit the degree to which one can track the trail of a transaction.

This is why certain Cypherpunks are hard at work creating remailers
that allow messages to be sent without any possible means of tracing
who sent the message. Ideally, if someone chooses a pseudonym in one
of these systems, no one else can send mail under that name. This
allows for the possibility of a true digital persona -- an "identity"
permanently disembodied from one's physical being.

Cryptographic techniques can also potentially assure anonymity in more
prosaic exchanges. For instance, in a system designed to protect
privacy, a prospective employer requesting proof of a college degree
will have access to records with that information -- but will only be
able to verify that sole datum. Cypherpunks even discuss certain cases
in which a person's name would be one of the pieces protected -- for
instance, a police officer checking one's license need not know a
driver's name, but only whether he or she is licensed to drive. The
ultimate Crypto Anarchy tool would be anonymous digital money, an idea
proposed and being implemented by cryptographer David Chaum. (Chaum also
first proposed the idea of remailers -- a good example of how the
Cypherpunks are using academic research from the crypto community to
build new privacy tools.)

In essence, the Cypherpunks propose an alternative to the continuation
of the status quo, where cryptography is closely held and privacy is
an increasingly rare commodity. Ultimately, the lessons taught by the
Cypherpunks, as well as the tools they produce, are designed to help
shape a world where cryptography runs free -- a Pac-Man-like societal
maneuver in which the digital technology that previously snatched our
privacy is used, via cryptography, to snatch it back.

Tim May admits that if the whole cryptography matter were put to a vote
among his fellow Americans, his side would lose. "Americans have two
dichotomous views held exactly at the same time," he claims. "One view
is, 'None of your damn business, a man's home is his castle. What I do is
my business.' And the other is, 'What have you got to hide? If you didn't
have anything to hide, you wouldn't be using cryptography.' There's a
deep suspicion of people who want to keep things secret."

There's also a legitimate fear that with the anonymous systems proposed
by crypto activists, illegal activities could be conducted more easily,
and crucial messages our government now easily intercepts might never be
noticed. But, as May says, these fears are ultimately irrelevant. Crypto
Anarchy, he believes, is inevitable, despite the forces marshaled
against it. "I don't see any chance that it will be done politically,"
says the Cypherpunk. "[But] it will be done technologically. It's
already happening."

The NSA Remains Cryptic: The Official Reply

At one time, the National Security Agency would not even admit that it
existed. Now, it has a Public Affairs staff whose usual modus operandi
is to reply to faxed questions from journalists. Attempting to get the
NSA view of the alternative crypto movement, we asked the NSA the
following six questions:

1. In the past two decades, a considerable community of serious
cryptographers, in both academia and commerce, has emerged. What is the
NSA's role in this evolutionary broadening of the field?

2. In light of the increasing need for privacy of communications, does
the NSA anticipate less stringent secrecy concerning cryptography
materials it controls?

3. What is the NSA's position on the desirability of strong
cryptographic methods in individual domestic communications (e-mail,
voice-mail, etc.)? Would it impede your work?

4. Does the NSA believe that the use of encryption by US citizens and
others communicating across borders impedes its mission?

5. Does the NSA endorse the idea of a mandatory private-key registry,
accessible to the government in cases when a judge orders it suitable,
for those using public-key cryptography?

6. Many people I speak to assume that all international communications
are in some way monitored by the NSA. Some people have even speculated
that the NSA routinely captures and in some way scans the entire traffic
volume of the Internet (mail and/or news groups). Are these claims
apocryphal?

Here, in its entirety, is the NSA reply:

The emergence of cryptography in the public sector has stemmed from
the rapid growth in communications and information systems for private
and commercial applications, and efforts to ensure that these systems
are safe from hackers, viruses, and unauthorized access. One of NSA's
primary responsibilities in this arena is to provide the means of
protecting vital US government and military communications and
information systems of a classified nature. NSA maintains a high
degree of expertise in cryptographic technology and keeps abreast of
advancements, domestically and abroad, in order to better protect
vital government communications.

Regarding questions two and three, as we have just stated, NSA is
responsible for protecting US government classified information systems.
We do not anticipate relaxing security and integrity of these government
systems since such disclosure could reduce the effectiveness of these
measures. As for domestic use of cryptography, we have always supported
the use of cryptographic products by US businesses operating
domestically and overseas to protect their sensitive and proprietary
information.

Finally, as a policy matter, NSA does not discuss details of its signals
intelligence operations, including the types of communications it
monitors. Please note, however, that our signals intelligence operations
are exclusively limited to producing foreign intelligence information
considered vital to the security interest of the US. We, therefore,
offer no comment to questions four and six.

In regard to question five and the idea of mandatory key registration,
we defer to the Department of Justice/FBI.

His Crime: Checking Out A Book

One day last November, the Justice Department called John Gilmore's
lawyer. The message they left: Gilmore was on the verge of violating the
Espionage Act. A conviction could send him to jail for ten years. His
crime? Basically, showing people a library book.

It was a fight that Gilmore instigated. As Sun Microsystems employee
number five, Gilmore retired with a bankroll in the millions. Later, he
had the opportunity not only to co-found a new company -- called Cygnus
Support -- but to commit acts of public service. "As I get older," says
the 37-year-old computer programmer, "I realize how limited our time on
Earth is." His cause of choice was the liberation of cryptography, a
field that had fascinated him since he was a boy.

"We aren't going to be secure in our persons, houses, papers, and
effects unless we get a better understanding of cryptography," he says.
"Our government is building some of those tools for its own use -- there
have been breakthroughs -- but they're unavailable to us. We paid for
them."

To remedy this situation, Gilmore and his lawyer, Lee Tien, have tried
to rescue documents from the shroud of secrecy. Gilmore's first major
coup was the distribution of a paper written by a Xerox cryptographer
that the NSA had convinced Xerox not to publish. Gilmore posted the
document on the Net, and within hours, thousands of people had a copy.

Gilmore's next action was to challenge the NSA's refusal to follow
Freedom of Information Act (FOIA) protocols in releasing requested
documents. The documents he sought were 30-year-old manuals written by
William F. Friedman, the father of American cryptography. These seminal
textbooks had been declassified, but later, for undisclosed reasons,
reclassified. The NSA did not respond to Gilmore's request for their
release within the required time-frame, so he took them to court.
Meanwhile, a friend of Gilmore discovered copies of two of the
documents: one in the Virginia Military Institute Library, the other on
microfilm at Boston University. The friend gave copies to Gilmore, who
then notified the judge hearing the FOIA appeal that the secret
documents were actually on library shelves.

It was then that the government notified Gilmore that distribution of
the Friedman texts would violate the Espionage Act, which dictated a
possible ten-year prison sentence for violators. Gilmore sent a sealed
copy to the judge, asking whether his First Amendment rights were being
violated by the notice; he also alerted the press. Meanwhile, worried
about whether the government might stage a surprise search of his house
or business, he hid copies of the documents -- one in an abandoned
building. On November 25, 1992, an article about the case appeared in
the San Francisco Examiner. Two days later, an NSA spokesperson announced
that the agency had once again declassified the texts. (A Laguna Hills,
California publisher, the Aegean Park Press, quickly printed and
released the books, Military Cryptanalysis, Part III, and Part IV.)

Gilmore is still pressing his case, requesting a classified book called
Military Cryptanalytics, Volume III. More important, he hopes to get a
general court ruling that will force the NSA to adhere to FOIA rules,
and possibly even a ruling that part of the Espionage Act, by using
prior restraint to suppress free speech, is unconstitutional.

What if Gilmore wins, and the NSA is forced to reveal all but the most
secret information about cryptography? Would national security be
compromised, as the NSA claims? "I don't think so," says Gilmore. "We
are not asking to threaten the national security. We're asking to
discard a Cold War bureaucratic idea of national security which is
obsolete. My response to the NSA is: Show us. Show the public how your
ability to violate the privacy of any citizen has prevented a major
disaster. They're abridging the freedom and privacy of all citizens -- to
defend us against a bogeyman that they will not explain. The decision to
literally trade away our privacy is one that must be made by the whole
society, not made unilaterally by a military spy agency."

Gilmore Speaks to Congress

John Gilmore presented the following "sound bits" to Congress for
consideration as it debates technology policy:

Government investment invariably brings government control, which
is harmful to the development of a communications medium in a free and
open society.

The Government seized control of telegraphy, radio, and television
early in their development, and they have never had full First Amendment
protection.

The Executive Branch is already advocating broad wiretapping, and
banning of privacy technologies, and they don't even own the network. If
the government owned the network, there'd be no stopping them.

The risk of moving society into media where individual rights are
regularly abridged is too great. Economics is pushing us into individual
electronic communication, regardless.

If Congress truly believes in the Bill of Rights, it should get the
hell out of the networking business and stay out of it.

Privacy and authenticity technologies are key to reliable and
trustworthy social and business interactions over networks.

Current government policies actively prohibit and inhibit the
research, design, manufacturing, sale, and use of these technologies.

Taxpayers have been investing many billions of dollars per year in
these technologies -- in the NSA "black budget" -- but have seen no return
on this investment.

Cryptographic paranoia is not limited to the United States. Flush with
enthusiasm over the export prospects for their new digital cellular
telephone system, European telecom companies a year or so ago changed
the name of their cellular phone consortium from Group System Mobile to
Global System Mobile. Unfortunately the new system is not so global
after all. In January, European governments decided to list the new
telephones alongside nuclear fuses and other goods whose export is
restricted in the name of national security.

Like their US counterparts, the European governments' problem with
Global System Mobile -- or GSM as it is more familiarly known -- is that
the phones cannot be tapped. In the name of privacy, each GSM handset
encrypts its signal using an algorithm called A5. As a sort of
backhanded testimonial to A5's effectiveness, NATO governments have
decided that it is far too good to sell to those whose privacy they
would not wish to respect -- like Saddam Hussein's tank corps. So they
have used their powers under the COCOM agreement on "strategic" trade to
limit exports.

The companies making GSM equipment -- which include most of Europe's big
telecoms firms -- don't want an export product that they cannot export.
So they are busily devising a new cryptographic technology -- called A5X
-- which doesn't work as well. The new A5X will be much easier to crack
than the old A5 technology. The two will also be compatible; so in
theory both could be used at the same time -- one for export markets and
one at home. That way GSM could make good on its marketing promise that
one handset will work anywhere in the world. The intriguing question,
however, is whether they will both be used.

Britain's two cellular operators, Vodafone and Cellnet, both say they
have heard hints -- nothing direct, just hints -- that various police and
security services (stuck for the moment with A5) would be happier if
they could eavesdrop on domestic conversations carried on GSM as
conveniently as do their counterparts abroad (who only have to crack
A5X). Racal, Vodafone's parent, recently specified A5X for a network
sold to Australia, which is not a country widely thought of as a threat
to the free world. If cellular companies do indeed swap to A5X at home
to facilitate government eavesdropping, the Cypherpunk movement will
more likely than not go global as well. Keep listening.

Steven Levy (steven@well.com) writes the "Iconoclast" column for Macworld magazine and is the author of "Hackers," "Artificial Life," and "The Unicorn Secret," all unencrypted.